NASA Still Falling Short on IT Security

Unencrypted laptops, unpatched software and advanced attacks from hackers are putting U.S. technical know-how at risk if NASA doesn't take a stronger IT security stance, according to a report released on Wednesday by the agency's inspector general.

NASA is a regular target of cyber attacks due to its more than 550 systems that house "information highly sought after by criminals," wrote NASA Inspector General Paul K. Martin.

Martin's testimony before a subcommittee of the House Committee on Science, Space and Technology summarized previous Inspector General audits of NASA IT security and made recommendations for the space agency.

NASA reported 5,408 computer security incidents in 2010 and 2011 that resulted in either malicious software installed on its systems or unauthorized intrusions, Martin wrote.

The resulting theft of export-controlled data and other information cost the agency more than US$7 million, Martin wrote.

"NASA needs to improve agency-wide oversight of the full range of its IT assets," he wrote.

One problem area: laptops. As of the beginning of this month, only 1 percent of NASA's laptops and portable devices were encrypted. Between April 2009 and April 2011, 48 mobile computing devices with sensitive data were stolen or lost, the report said.

In another area of weakness, only 24 percent of applicable computers on a mission network were monitored for critical software patches, the report said. Only 62 percent were monitored for technical vulnerabilities, according to an Inspector General audit from May 2010.

In fiscal 2011, NASA was also targeted by 47 "advanced persistent threats," or cyber attacks that seek to steal data while remaining undetected for a long period of time.

Thirteen of those attacks successfully compromised agency computers, Martin wrote. In one of those attacks, intruders stole credentials of more than 150 NASA employees, which could have been used to gain access to NASA systems.

Another attack, which originated from Chinese-based IP (Internet Protocol) addresses, targeted the Jet Propulsion Laboratory. In that attack, the intruders "gained full access to key JPL systems and sensitive user accounts."

"The attackers had full functional control over these networks," the report said.

In another area, auditors found that NASA failed to properly erase computers used for the Space Shuttle program before offering the machines for sale.

Investigators discovered "excessed hard drives in an unsecured dumpster accessible to the public at one center," the report said.